
October 18, 2023

Zero-day in thousands of Cisco IOS XE devices exploited


Security researchers have observed an unnamed threat actor exploiting a zero-day vulnerability in thousands of Cisco IOS XE devices since September 2023.

The maximum-severity vulnerability, designated CVE-2023-20198, allows unauthenticated threat actors to gain administrative privileges on the affected device. That access could then be used to monitor network traffic, perform man-in-the-middle attacks, install implants, and pivot into other networks served by the compromised router.

The researchers believe that thousands of devices may already be compromised with a malicious implant, and tens of thousands more remain vulnerable.

Cisco confirmed that it detected exploitation of the vulnerability in late September 2023 during an analysis of a customer’s device that was exhibiting suspicious behaviour. Further investigation of additional Cisco IOS XE devices revealed that a threat actor was able to combine vulnerabilities to create local user accounts and subsequently deploy malicious implants that enabled them to execute commands.

While a patch is not yet available, the vulnerability only affects internet-exposed Cisco IOS XE routers and switches that have the Web User Interface (Web UI) and HTTP/HTTPS Server features enabled. Cisco recommends turning off these features until a patch is available.

Source: Bleeping Computer

Analysis

Given that so many devices have already been compromised and many more remain vulnerable, it’s unfortunate that no advisory was released after Cisco first observed this threat in September. If one had been, it’s very likely that the threat actor’s exploitation of this vulnerability would have been limited.

Given the vast number of vulnerable devices and the many uses a compromised device has for a threat actor, it’s likely that these Cisco devices will continue to be compromised. Furthermore, once a patch is released, it will likely be reverse-engineered so threat actors can retool their exploit for patched systems.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in devices like Cisco IOS XE. This research contributes to the timely deployment of signatures into Covalence, our flagship security solution, to detect and mitigate the exploitation of these vulnerabilities.

Covalence users were already notified of vulnerable Cisco devices detected in their environment and are encouraged to review these AROs as quickly as possible.

Users of Cisco IOS XE devices should immediately look for signs of compromise, identify and remove rogue administrative accounts, and disable the Web UI and the HTTP/HTTPS Server feature. Affected devices should be updated to the latest version as soon as a patch is available.
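The two checks above (rogue privilege-15 local accounts and an enabled Web UI / HTTP(S) server) can be run against a saved copy of `show running-config` without touching the device again. The following script is an added example, not code from Field Effect or Cisco; the configuration excerpt, hostname and account names in it are constructed for illustration, and the `KNOWN_ACCOUNTS` allowlist is assumed to be maintained by the operator outside the device. The only IOS XE commands it emits are the standard `no username`, `no ip http server` and `no ip http secure-server`.

```python
"""Triage a saved IOS XE running-config for the two items the post says to check:
privilege-15 local accounts the operator did not create, and an active
`ip http server` / `ip http secure-server` (the Web UI transport)."""

import re

# Constructed sample of a `show running-config` excerpt; not from a real device.
# `svc-remote` plays the role of an account nobody on the team recognises.
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 REDACTED
username svc-remote privilege 15 secret 9 REDACTED
username monitor privilege 1 secret 9 REDACTED
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
!
"""

# Assumption: the operator keeps an out-of-band list of accounts they created.
KNOWN_ACCOUNTS = {"netadmin", "monitor"}

# `username <name> [privilege <n>] ...`; privilege defaults to 1 when absent.
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.MULTILINE)


def parse_local_users(config: str) -> dict[str, int]:
    """Return {username: privilege level} for every local account in the config."""
    users = {}
    for match in USERNAME_RE.finditer(config):
        name, priv = match.group(1), match.group(2)
        users[name] = int(priv) if priv else 1
    return users


def rogue_admins(config: str, known: set[str]) -> list[str]:
    """Privilege-15 accounts that are not on the operator's allowlist."""
    users = parse_local_users(config)
    return sorted(u for u, p in users.items() if p == 15 and u not in known)


def http_server_state(config: str) -> dict[str, bool]:
    """Whether the HTTP and HTTPS servers are active. Both the positive and the
    `no ...` form can appear in a running-config, so the last one seen wins."""
    state = {"http": False, "https": False}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            state["http"] = True
        elif line == "no ip http server":
            state["http"] = False
        elif line == "ip http secure-server":
            state["https"] = True
        elif line == "no ip http secure-server":
            state["https"] = False
    return state


def remediation_commands(config: str, known: set[str]) -> list[str]:
    """Config-mode commands that undo each finding, in the order to apply them."""
    commands = [f"no username {user}" for user in rogue_admins(config, known)]
    state = http_server_state(config)
    if state["http"]:
        commands.append("no ip http server")
    if state["https"]:
        commands.append("no ip http secure-server")
    return commands


if __name__ == "__main__":
    print("Unrecognised privilege-15 accounts:", rogue_admins(SAMPLE_CONFIG, KNOWN_ACCOUNTS))
    print("HTTP server state:", http_server_state(SAMPLE_CONFIG))
    print("Suggested remediation:")
    for cmd in remediation_commands(SAMPLE_CONFIG, KNOWN_ACCOUNTS):
        print("  " + cmd)
```

Run it against the output of `show running-config` captured from each device, with the allowlist filled in from your own change records. The script only reports and proposes commands; it does not apply them, because the post's first step is to look for signs of compromise, and removing an account or configuration before that evidence is preserved loses the record of what the intruder did.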
